Truth about computer security hysteria

Rob Rosenberger

Blame president's Y2K czar for recent hacker attacks

Rob Rosenberger, Vmyths co-founder
Sunday, 13 February 2000
I BLAME CLINTON'S Y2K czar for indirectly causing all these recent hacker attacks. Internet users weep in despair because John Koskinen took the banana out of his ear too soon. Janet Reno should arrest him for crimes against cybermanity.
MSNBC cybercrime reporter Bob Sullivan initially labeled it "the largest computer attack on the Internet in memory." Yeah, I myself barely remember 1999. That was what, a millennium ago? Poor Melissa, poor Chernobyl, we hardly knew ye... Sullivan also wrote "security experts [are] worried that the current assaults are unstoppable." {sniffle} Mom, I miss the Internet already! Let's pause briefly for a paragraph of silence...
I see someone moaned the obligatory "wake-up call" phrase. "'This is a wake-up call in many ways,' [Commerce Secretary William M. Daley] said at the press conference. 'This just confirms what many of us have been saying for the past two years.'" CERT emeritus Kenneth Van Wyck joined the chorus: "This should send a wake-up message to e-commerce sites." ("Two years"?)
The Computer-in-Chief himself stepped forward to mitigate this e-crisis. CNN reported "President Clinton said the federal government is looking into what it can do to stop the attacks." One whitehouse.gov solution: convene a summit meeting. I feel safer already.
Clinton? Reno? Daley? Politicians love to take advantage of a sexy computer security story. Remember when NJ governor Christie Whitman rode on the coattails of Melissa? (Everybody did, but let's not digress.) Okay, you're probably too young to remember what happened waaaaay back in 1999. I tell you, those were the good ol' days.
CNN offered a cute link for people who don't understand what "denial of service" means. The link said "check here to see how a denial of service attack works." Boring, boring, boring. You should check here to see how an attack works. Follow the instructions very carefully (don't say I didn't warn you).
And of course someone put a price tag on global damages. We can't document the impact of these attacks ... yet we can somehow estimate worldwide losses with an accuracy of plus-or-minus $100 million:
The wave of hacker attacks that this week temporarily disabled popular Web sites like Yahoo and eBay may have cost the industry in excess of $1.2 billion, according to an estimate released Thursday by one market research firm. The Yankee Group arrived at the $1.2 billion figure by estimating revenue losses at the affected Web sites, losses in market capitalization, and the amount that will be spent upgrading security infrastructures as a result of the attacks, according to the research firm. What's more, the situation could get worse in the foreseeable future, according to Matthew Kovar, the senior Yankee Group analyst who compiled the estimate.
"Security experts interviewed by CNET News.com questioned the FBI's prowess ... noting that sleuthing in cyberspace is far different from hunting down a band of drug smugglers... Compounding such doubts, FBI officials were caught off guard with some basic questions."
Notice how they included "the amount that will be spent upgrading security infrastructures as a result of the attacks." Patently absurd! It's like suing your burglar for the cost of the door locks you never bothered to purchase. Or to put it another way, it's like billing a single student for antivirus software the school district never bothered to purchase.
At any rate, it doesn't matter right now if Yankee Group used a valid cost-projection model. We first need to determine if they obtained valid micro-economic data. When it comes to computer security, "victimized firms" pull dollar values out of thin air with no backing data. I therefore must assume Yankee Group derived macro-economic figures from arbitrary micro-economic data. We're talking Economics 101 here, yet history tells us this $1.2B figure will appear in vendors' press releases. "Empirical evidence" remains a lofty goal in the anecdotal world of computer security.
Ah, but I digress... A Reuters newswire states these attacks avoided U.S. military networks. Call it a "missing computer formation" — I think the perpetrator(s) wanted to show a sign of respect for outgoing DoD fearmonger John Hamre.
It saddens me when companies overreact in the name of computer security. Stamps.com, for example, "decided to 'proactively take down the service for a brief time,' a company spokesman told MSNBC. 'We were down for about 30 minutes until we were sure that our site was secure,' the spokesman said. Few customers were affected, the spokesman said."
"Hackers might shut down Stamps.com before FBI agents catch them. As a precaution, we will shut down Stamps.com until FBI agents catch them."
Hmmm. Did Yankee Group include the Stamps.com precautionary disconnect in their $1.2 billion estimate? Internet provider HarvardNet took a different path — they changed "over 9,000" email passwords. Did they do it as a precaution? It depends on who you believe at HarvardNet. A notice on the website claims they did it "in response to an attempt to access a HarvardNet server." However, an irate customer (reliability unknown) forwarded this eye-popping email:
As you may have heard, several large service providers were attacked over the past two days. In a proactive security measure, we decided to change all email passwords of our Maine dial-up to computer-generated passwords in order to protect our customers and ourselves against a security breach.
To receive your new password, please call HarvardNet customer care at 1-800-772-6771. You will need to present your customer ID number to verify your identity before our customer service representatives will provide you with a new, computer-generated password. As we are experiencing an overwhelming number of calls, your patience is greatly appreciated.
We apologize for any inconvenience this may have caused you. Thank you for your patience and understanding.
HarvardNet staff
This "proactive security measure" translates into a precautionary disconnect for 9000+ customers. A recording at the 800 number told customers to dial one of two local numbers. Repeated attempts to validate the above email failed due to (you guessed it!) overwhelming busy signals.
HarvardNet obviously can invoke the "CSC email defense" if they wish. "Our secretary wrote it for us in haste! Yeah, a newly hired secretary. Still on probation. She doesn't even know how to type, let alone use a computer. Yeah. The boss hired her 'cuz she's a fox. Yeah, that's the ticket! We were attacked, but she didn't say it in that email of hers..."
Can you say "ouch"? Trust me: HarvardNet will never again pull a stunt like this one. I urge customers to demand a pro-rated fee for the inconvenience. Notify Yankee Group so they can tack your refund onto their global damages estimate.
(Don't let HarvardNet talk you out of compensation! Hotels, restaurants, airlines, manufacturers, even phone companies make amends when something under their control goes wrong. Why not an ISP, too? Management protected you from something under their control "to ensure the security of [your] email." They should compensate you if asked. Consult your local BBB office if you need guidance.)
THEN AGAIN, PERHAPS the Internet will survive the onslaught of deadly, unstoppable "assault weapons." Yahoo! described the attacks against them as mostly an "inconvenience" and eBay labeled their own monetary losses as "fairly insignificant."
Navy INFOCON status, 2/12/00
It sounds incredible, but the U.S. Navy declared itself in "INFOCON Normal" when I checked early yesterday. The graphics shown at right came directly from www.infosec.navy.mil. Worldwide media hysteria did not affect their security posture ... and now you know why I so seldom pick on the Navy & Marines. LANlubbers at the Pentagon could learn a few things from cyber-swabbies. (Crud! I just blew my entire yearly allotment for puns and it ain't even March.)
ZDNet pundit Larry Dignan believes victim companies gained more in free publicity than they lost in downtime. "For some companies," he mused, "a little hacking adversity could be a springboard to bigger things. Buy.com (Nasdaq: BUYX) gets hacked the day of its IPO, but shares don't miss a beat. Why? Buy.com was important enough to get hacked in the first place. The hack attack [also] probably distracted investors from focusing on the land mines disclosed in regulatory findings."
Individuals wrote me to say they noticed "nothing unusual" at some of the victimized firms. One person (assumed reliable) who spoke by phone testified his browser can't always reach Amazon.com. "I tried again later, as usual," he shrugged.
I myself regularly fail to retrieve a full ZDNet page on the first try. They've been "attacked" non-stop for months if you ask me — and they're being hacked even as I write. ZDNet suffered a devastating cyber-attack on 2/11/00, for example. Quick, somebody! Notify a ZD router guru before the end of the year.
A 'Y2K virus watch' on 2/12/00?
Uh-oh, ZDNet suffered another devastating cyber-attack on 2/12/00. This time, terrorists added a "Y2K virus watch" link near the top of the page. Quick, somebody! Notify a ZD webmaster before the millennium truly ends.
Two news.com staff writers came right out and said it: "despite doomsaying, the Net will survive." Evan Hansen & Jim Hu started off by noting the attacks "[inspired] a level of Internet doomsaying not heard since the peak of millennium-bug mania last year." (Six weeks ago is "last year." Like I said: waaaaay back in 1999.)
So the Internet might survive after all. I probably should ask Reno not to arrest Koskinen, eh? At least not just yet. Nobody wants the FBI to come out looking foolish.
ONE ZDNN STORY cautions how, "from a legal standpoint, downplaying the attacks may not be the best approach for these sites, according to San Francisco lawyer Marc Bernstein, who specializes in Internet issues. 'It may hurt their case if the affected Internet companies downplay it,' said Bernstein. 'Those statements might end up being used by a criminal defendant in an effort to prove the damage they did was minimal.'"
The truth hurts — so let's all conspire to keep quiet. We don't want to affect the verdict handed down by a kangaroo court.
Bernstein shouldn't worry about punishing the cyber-guilty. Urban legends kept Kevin Mitnick behind bars for years without a trial; prosecutors railroaded David "complete idiot" Smith in similar fashion. Reno just needs to round up a suspect and assign the case to a media hound.
I'd like to nominate deputy attorney general Eric Holder to try this baby. He certainly sounds like a media hound to me! Check out this juicy quote:
These [attackers] are people who are criminals, and we will do all that we can to find them, to prosecute them and to put them in jail. We don't consider this to be a prank... At least part of the drop that we saw [in] the Dow [and] the Nasdaq, was attributable to what we saw happening in these attacks. So that points out a reason why these things have to be taken extremely seriously and dealt with in that way.
A lawyer said quotes about "insignificant" losses may hurt prosecution efforts. News flash: the truth hurts.
Now hold on just a minute! Did the NASDAQ drop because of these attacks? I thought... Oops, my mistake: only computer security stocks rose as a direct result of these attacks. Then again, security stocks dipped waaaaay back in 1999 during the original hysteria surrounding Y2K. (Again, I blame Clinton's dastardly Y2K czar and I hope he rots in prison.)
Uh-oh, ZDNet suffered yet another devastating cyber-attack on 2/12/00. Quick, somebody! Notify a ZD router guru before the end of the year.
Time for me to stop writing — I feel a sudden urge to invoke a precautionary disconne